July 4, 2025 • 50 mins

In this episode of Cybersecurity Today, host Jim Love engages in a comprehensive conversation with Krish Banerjee, the Canada Managing Director at Accenture for AI and Data. They delve into the stark difference between perceived and actual preparedness for cybersecurity in the face of growing AI adoption. The discussion spans topics such as the role of AI in enterprise productivity, the need for better data management, and the integration of AI into various business functions. They also explore the importance of digital sovereignty, the challenges and opportunities in Canada's adoption of AI, and how open-source AI can benefit organizations. Krish emphasizes the significance of setting a clear value-driven goal, having the right tools and talent, and the necessity of adopting AI responsibly. The conversation wraps up with insights on how executives can navigate the AI landscape and prepare their organizations for future advancements.

00:00 Introduction to Cybersecurity and AI Concerns
02:10 Interview with Krish Banerjee: AI in Canada
03:17 The Evolution and Impact of AI
06:42 Enterprise AI: Challenges and Opportunities
15:20 Digital Sovereignty and National AI Strategies
25:07 Accelerating Technological Adoption
26:18 Dream Projects in AI
27:49 AI for Healthcare and Commercialization
31:02 The Future of AI and Economic Impact
35:31 Agentic AI: The Next Frontier
41:14 Open Source AI and Democratization
43:23 Advice for Executives and Parents
49:10 Conclusion and Final Thoughts

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Criminal organizations are using ubiquitous technical surveillance
to find and kill police informants.
Hawaiian Airlines, second major North American airline hit
with cyber attack this month.
Bluetooth flaws could let hackers spy through your microphone, and US Supreme
Court upholds Texas porn ID law.

(00:21):
This is Cybersecurity Today, and I'm your host, David Shipley.
Let's get started.
A stunning report by the US Department of Justice's Office of the Inspector
General has revealed an existential threat to the work of the FBI and
other government agencies. So-called Ubiquitous Technical Surveillance, or
UTS, refers to the global proliferation of internet-connected cameras and

(00:45):
the thriving trade in vast amounts of communications, travel, and location data.
In the report released late last week, it was revealed that a cyber criminal
working for the Sinaloa drug cartel obtained an FBI official's phone records
and used Mexico's surveillance cameras to track and kill the agency's informants.
In 2018, the incident was revealed in an audit of the FBI's efforts

(01:10):
to mitigate the risks of UTS.
The report details how the cartel operative identified an FBI
assistant legal attaché to the US Embassy in Mexico City.
It showed how they were able to use the attaché's phone number to obtain calls made
and received as well as geolocation data.
The report said the operative used Mexico City's camera system to follow

(01:33):
the FBI official throughout the city and identify people the official had met with.
The cartel then used that information to intimidate and kill potential
sources or cooperating witnesses.
The collection of granular location data from people's phones has proven
to be a double-edged sword for law enforcement and intelligence agencies.
While they have benefited from UTS in their investigations,

(01:55):
criminal organizations can also use those same tools to find and
kill informants, a crucial resource
that many complex investigations depend on. The audit report said
technological advances since 2018 have made it easier for less sophisticated
nations and criminal enterprises to identify and exploit vulnerabilities.

(02:17):
It's faster and easier for them now more than ever.
This is an example of cybersecurity gaps in critical infrastructure and
the risk unchecked data brokers pose in getting people hurt or
killed, and it makes us all less safe.
And this news comes after the assassination of former Minnesota
House of Representatives Speaker Melissa Hortman and her husband, Mark.

(02:41):
With the discovery of a list of data brokers and instructions on how to use
them, found in the accused murderer's car.
The assassin had earlier tried to kill Democratic State Senator John Hoffman
and his wife Yvette, in their home.
John Hoffman was shot nine times and his wife eight times.
Both are recovering.
The Hortmans were buried on Saturday.

(03:03):
The killer had disguised himself as a police officer, and a list of
dozens of other potential targets was found by police, along with the
names of 11 different data brokers.
The list included notations about what services were free to use and
how much information they required in order to obtain detailed data
about the individuals being searched for, according to an FBI affidavit.

(03:27):
Data brokers collect a vast amount of detailed information on all of
us, including names, home addresses, phone numbers, as well as our
relatives' names and home addresses, and publish that information online
or trade it to other brokers.
They typically require paid access, but anyone buying the data can do
so without much, if any, vetting.

(03:49):
Lawmakers from various states have worked on legislation to force data
brokers to delete data on politicians and law enforcement officers, but
everyone should have those same rights for the exact same reason.
Physical safety.
Court officials, journalists, medical professionals, victims of intimate partner
violence, members of targeted communities.

(04:11):
The list goes on and on.
Privacy is a fundamental human right and increasingly it's
crucial for physical safety.
Hawaiian Airlines warned on Thursday night that some of its IT systems were disrupted
by a cyber attack, although flight operations were not. They did not disclose
the exact nature of the attack, but the language they used was typical of that

(04:35):
you can find in a ransomware incident.
As of Sunday afternoon, no further details on the Hawaiian attack have been provided.
The attack comes a week after Canadian airline
WestJet described
it had also been the victim of a cyber attack. As with the
Hawaiian Airlines incident,
flight operations thankfully were not compromised.
WestJet has since not disclosed any further details in its cyber attack,

(04:59):
which also looks likely to be ransomware.
Friday night, the FBI said that the notorious threat actor Scattered Spider
was observed targeting major airlines.
Scattered Spider refers to a loose collective of mostly English-speaking
teenage males who work with the international ransomware gangs.
The group was most recently behind over $600 million in disruptions to the food

(05:21):
and retail sector in the UK, and it has turned its attention to the insurance
industry, hitting Aflac earlier this month.
Scattered Spider has been on a tear since 2025 with successful
attacks on Dior, the North Face, Cartier, Victoria's Secret, Adidas,
Coca-Cola, and United Natural Foods.
The group gained notoriety for attacks on MGM and Caesar's Palace.

(05:44):
The key to Scattered Spider's success is their use of social engineering.
They're prolific users of phishing by email, phone call, and text message.
They've used SIM swapping hijacks to defeat multifactor authentication.
They've also used MFA fatigue, also known as MFA bombing, to
get targets to approve access.

(06:05):
The group has also been known to use attacker in the middle, or
AiTM, phishing kits like Evilginx to steal live user sessions.
All of these tactics have laid bare the mislabeling of MFA tools as being,
quote unquote, phishing resistant.
MFA tools are important.
They help defeat brute force attacks up to 99% of the time, but a determined

(06:27):
attacker, as shown, will find ways to defeat them if your people and
processes aren't resilient as well.
Scattered Spider has even gone so far as to social engineer domain registrars
to take control of an organization's DNS records, to hijack mail routing
or MX records to capture inbound emails, and to take over a business app

(06:50):
environment like Google Workspace or Office 365. Their latest success is using
targeted attacks on help desk processes.
They gather information from public sources like LinkedIn, then use social
engineering pressure tactics to convince help desk teams to reset privileged
user access or grant new access.

(07:11):
And there is no easy technical solution to threats like Scattered Spider.
It takes a combination of technology controls, security
culture, and process change.
If you wanna make your organization resilient to Scattered Spider and
other threat actors now copying their highly successful tactics, you need
to change your help desk processes.

(07:32):
You need to ensure that your help desk personnel are incentivized
to challenge access requests sufficiently and stop measuring
your help desk on access requests
like it's a typical service request that should be solved as quickly as
possible to the lowest level as possible.
And additionally, if anyone in your organization, regardless of title,

(07:55):
gives your help desk any trouble or disrespect for a more rigorous process,
those individuals need to be called out.
That's how you create a more secure culture.
That's how you build resiliency to Scattered Spider.
We can now add another set of Bluetooth vulnerabilities to the long list of ways
devices can be hacked and turned into convenient Internet of Things wiretaps.

(08:20):
More than two dozen audio devices from 10 vendors use the same Bluetooth
chipset that can be hacked for eavesdropping.
Researchers confirmed that 29 devices from Beyerdynamic, Bose, Sony,
Marshall, Jabra, JBL, Jlab, EarisMax, MoerLabs and Teufel are affected.
The list of impacted products includes speakers, earbuds,

(08:41):
headphones, and wireless microphones.
A chain of critical vulnerabilities can be leveraged to take over a targeted product.
In some phones, an attacker within connection range may be able to even
extract call history and contacts.
These vulnerabilities were disclosed at the TROOPERS security
conference by researchers at the cybersecurity company ERNW.

(09:03):
They impact the Airoha system on a chip, which is used in the
true wireless, or TWS, systems.
The good news is that these vulnerabilities weren't remotely
accessible over the internet.
They rely on close proximity within standard Bluetooth range, which is
typically about 10 meters or 33 feet,
though newer versions of Bluetooth can reach up to 240 meters or 800 feet.

(09:27):
Factors such as walls and competing radio traffic have
huge impacts on Bluetooth range.
The vulnerabilities tied to this are CVE 20 25, 2700, which is a 6.7 on
the severity score or medium, missing authentication for GATT services; CVE 20
25, 27 0 1, another 6.7 medium, missing authentication for Bluetooth BR/EDR.

(09:54):
And CVE 20 25, 27 0 2, a 7.5 or high severity score, critical
capabilities of a custom protocol.
While the vulnerabilities, as they were, were not remotely executable,
the researchers did disclose that vulnerable device firmware could
potentially have been rewritten to enable remote code execution that

(10:17):
would've laid the groundwork for a wormable exploit capable of
propagating across multiple devices.
It's not a stretch to see how criminals could use a vulnerability like this to
create a chain of infected devices across law enforcement, informants, and others.
Or another example: how these kinds of vulnerabilities could be used to
target politicians' devices to harvest conversations or to track them. Improving

(10:42):
the security of digital devices
everyone depends on is vital to improve the protection from all sorts of crimes,
digital or very serious physical crime.
Finally, a US Supreme Court decision has upheld the legality of Texas's porn ID
law on Friday in a six-three decision that could reshape online privacy

(11:03):
and free speech in the United States.
The Supreme Court upheld Texas' age verification law, which was one of
the first of more than a dozen such laws since passed by other states.
The law requires websites publishing pornographic content to check
all visitors are over 18.
It has $10,000 fines per day for websites that are more than one

(11:23):
third sexual material that don't have age verification in place, with
additional penalties of up to $250,000.
The law also forces such sites to display warnings about the
health risks of pornography.
The US isn't the only country to try and pass such age verification laws.
The UK did so years ago, only to delay and eventually abandon them in 2019.

(11:48):
Since then, a wave of technology companies has emerged to sell
age verification software.
These methods can include, but aren't limited to, checking someone's identity
against a government ID, providing banking details, or using face checking
systems that can predict someone's age.
The idea is to have third-party companies, not necessarily the

(12:09):
pornographic websites, do the checking.
Privacy and civil liberties experts have noted that any collection of someone's
access or use of pornographic material can have devastating consequences.
Examples include the breach of adultery website Ashley Madison, which was
linked to at least one suicide.
And the risks for these services are real.

(12:29):
One major ID verification service used by TikTok, Uber,
hospitality and banking services,
called AU10TIX, or Authentic, suffered a data breach last year after they exposed
administrative credentials online for more than a year. In Canada, Senate Bill S-209
also seeks to put similar age verification tools on pornographic websites.

(12:53):
Now last week, the preliminary results of an age checking trial in Australia, which
had passed recent laws to ban children under 16 from accessing social media,
found such systems may not be effective.
As well,
virtual private networks, or VPNs, can be used to easily circumvent
age-based verification requirements that are based on geography.

(13:15):
In addition to the severe personal risks faced by individuals if identity
verification services are breached, the presence of such controls may drive people
to illegal websites that may attempt to infect their devices or could be used as
part of criminal money laundering efforts.
As always, stay skeptical and stay patched.
We're always interested in your opinion, and you can contact us at

(13:38):
editorial@technewsday.ca or leave a comment under the YouTube video.
I've been your host, David Shipley, sitting in for Jim
Love. Thanks for listening.